Re: RFC: changes to default password strength checks in pam_unix
On Sun, Sep 02, 2007 at 07:38:23PM -0400, Roberto C. Sánchez wrote:
> On Sun, Sep 02, 2007 at 02:39:25PM -0700, Steve Langasek wrote:
> > The upstream default of 6 has been around for at least 5 years, possibly as
> > long as a decade; and the code in question is inactive when pam_unix is
> > linked to cracklib, which I think most distributors other than Debian are
> > doing (we confine the use of libcracklib to the separate pam_cracklib
> > module, to keep cracklib out of base); so there probably isn't any modern
> > justification for this default at all.
> Just curious, what is the rationale for wanting to keep cracklib out of
> base?
Size and complexity. Adding libpam-cracklib to base would be a 2MB increase
in the size of a minimal Debian system on i386, and add 5 packages to the
list of what has to be installed before the user can do something as simple
as set the initial root password. Also, in terms of modularity, I don't
think it makes sense for pam_unix to link to cracklib anyway when we have a
separate pam_cracklib module for that (whether it's in a separate package or
not).
I also think that enabling cracklib password checking is probably not a
reasonable default for single-user systems, because however much we might
like users to use secure passwords, the hassle of disabling cracklib if the
user disagrees with us on this point is enough to make this a very
unpleasant user experience. Maybe if and when we have better up-front
documentation of what the password requirements are we could consider this
as a default, but I don't want users to go through the experience of hitting
five different password strength rules, one-by-one, in the
ever-more-frustrating process of trying to set a password.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Reply to: